Last week I was flabbergasted when a colleague was offered a list of my friends and (OMG!) friends of friends, after signing up and adding me on Facebook. Why did this happen? I wasn’t able to replicate this ‘feature’ exactly; however, I was able, without much effort, to retrieve my own friends list anonymously, even though it is purposefully hidden from everyone. Add this unintentional feature to the ‘real name from email’ vulnerability and you have a powerful information tool in Facebook.
First of all let me just say that I adore Facebook. I study it religiously and wonder endlessly how and why it does what it does. I am also a Facebook evangelist and regularly demystify it for my friends and colleagues. I change my privacy settings regularly, trying to find that magic setting that will let people find me if they must but decrease the number of friend adds by ‘guys I don’t know’. One thing is for sure, I hide my friends list from those who are not my friends. Why? Because more than 75% of my female friends are ‘alt’. They are awesome and influential lesbians, drag kings, trans folks, feminists, roller derby gals, performance artists, burlesque dancers, comedians, authors and a surprisingly large number of sex educators! I would not change my friends for the world. They kick ass in poetic ways and are true inspirations. I got to know a few of them by sharing Web ninja skills and the rest is awesome history. However, I do not control who THEIR friends are and in a case that was horrifyingly embarrassing for me, I saw THEM and their borderline NSFW profile pictures suggested to a colleague in a very traditional business setting! So does this mean that all the colleagues and business folks I add as friends face the same situation? This has forced me to reconsider how I can contribute to the business Facebook community and in my work if I cannot rely on Facebook privacy settings. ;-(
So on to the features:
By now you probably know that it is possible to retrieve someone’s full name from their e-mail address (provided this e-mail is listed in their account under primary or secondary), just enter the e-mail as you would in the sign-on and fudge any password. I am a bit surprised that this hasn’t been changed. Even though Facebook states that it would be against their user policy to IP fudge & batch scrape real names from a list, e-mail pirates can do this without actually ever creating an account or being a Facebook user. And Mark Zuckerberg should know this because it is (if we can believe TSN) how he gathered all those girls’ pictures from the University Web directories for his little overnight hot or not experiment. As I have had the same e-mail addresses since 1994, I do not believe it would be possible to get more quasi-personalized spam than I already do! While this is annoying, it probably does not change much for me and I am happy to see my picture doesn’t show up.
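For anyone building a sign-on form, the ‘real name from email’ behaviour above comes down to the failed-login response depending on whether the account exists. The following is an added example, not part of the original post and not Facebook’s code: the account store, messages and function names are all hypothetical, and `login_leaky` only models the behaviour described here next to a uniform-response version.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed sample account store (hypothetical data, not from the post).
_SALT = os.urandom(16)
USERS = {"alice@example.com": {"name": "Alice Example", "salt": _SALT,
                               "pw": _hash("correct horse", _SALT)}}

# Dummy credentials so an unknown e-mail costs the same hashing work as a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_PW = _hash("unused", _DUMMY_SALT)

GENERIC = {"ok": False, "message": "Incorrect e-mail or password."}

def login_leaky(email: str, password: str) -> dict:
    """Models the described behaviour: a wrong password still reveals the name."""
    user = USERS.get(email.lower())
    if user is None:
        return {"ok": False, "message": "No account uses that e-mail."}
    if hmac.compare_digest(_hash(password, user["salt"]), user["pw"]):
        return {"ok": True, "message": f"Welcome, {user['name']}"}
    return {"ok": False, "message": f"Wrong password for {user['name']}."}

def login_uniform(email: str, password: str) -> dict:
    """Identical failure for unknown e-mail and wrong password; name only after auth."""
    user = USERS.get(email.lower())
    salt, stored = (user["salt"], user["pw"]) if user else (_DUMMY_SALT, _DUMMY_PW)
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if user is not None and matches:
        return {"ok": True, "message": f"Welcome, {user['name']}"}
    return dict(GENERIC)
```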
After you have that one full name of a person you require more info about, you will create a Facebook account using a valid e-mail. You do not even have to use a real e-mail, just as long as it passes the validation. You can try accessing the “Find Friends” feature and choosing the last option (click more to be offered that option.) Enter the name of your ‘friend in common’. Get nothing? Add that person as a friend and see what happens. Now when I did this I saw everyone but 20 of my friends. I suspect their privacy settings were ‘hidden in search’ but 247 out of 265 is a lot of friends on a page! And I also must add that I did all of this without ever confirming my made-up e-mail address and without my fake profile being ACCEPTED as a friend by the real me.
I have explained this in an effort to tell you how Facebook has caused me great disappointment by giving out information in a way that is totally contrary to the privacy settings I had set. It would be unethical to use these ‘features’ to harass or annoy anyone online. Though I should mention that in the past I have used my Facebook ninja skills to track victims and help the police put a very active scammer back in jail, and I am sure he felt royally annoyed, but I never used any ‘unintentional features’ or a fake profile to do so. In fact I do not want to have two profiles to segregate social and work friends, ALL my friends are cool and co-exist beautifully in the new circle of transparency.
I believe Facebook is not evil, it simply wants to be useful in connecting me with the people I care about. It is the fact that it is more and more omnipresent that the two features I have just demonstrated can have unforeseen consequences. Imagine if used together, how they can kick a phishing business into high gear!